Horizon DaaS

The Horizon DaaS platform has multiple admin and user portal URLs. The Service Provider uses Service Center to manage the entire Horizon DaaS platform including all the tenant environments. The tenant administrator uses the Horizon Admin portal to manage the tenant part, like creating images, desktop pools and assigning users to desktop pools.

It’s optional (but recommended) to replace the default self-signed certificate for Service Center with a trusted certificate. For the Horizon Admin portal, it’s even a requirement, otherwise the end-users will receive a certificate warning each time they launch resources.

You can request these certificates via an SSH connection to the Service Provider appliance. By default, the Service Provider appliance have OpenSSL installed on it.

Requesting the certificate

If we follow the instructions provided by VMware, the certificate can be correctly requested. There is, however, one limitation regarding the Google Chrome browser.

Google Chrome requires you to also provide the Subject Alternative Name (SAN) during the certificate request, otherwise, you will get a certificate error in the browser stating the certificate is not trusted. When you hit F12 within the browser you will see the message “Subject Alternative Name Missing

missing_subjectAltName

The Internet Explorer (IE) and Firefox browsers do not have this problem. To fix this problem for Google Chrome, you will have to include the SAN in a configuration file during the certificate request.

You can safely use the following example for this configuration file (in this case openssl.conf, which is used in this case for the certificate for Service Center) – please replace everything in <bold>

Please Note: Sometimes the format is copied incorrectly. Please note the quotes (“) after copy.

[ req ]
default_bits = <2048>
default_md = sha512
prompt = no
encrypt_key = no

# base request
distinguished_name = req_distinguished_name

# extensions
req_extensions = v3_req

# distinguished_name
[ req_distinguished_name ]
countryName = “<NL>” # C=
stateOrProvinceName = “<Noord-Holland>” # ST=
localityName = “<Amsterdam>” # L=
postalCode = “<1234>” # L/postalcode=
streetAddress = “<Dorpstraat 1>” # L/street=
organizationName = “<Login Consultants>” # O=
organizationalUnitName = “<IT Support>” # OU=
commonName = “<ServiceCenter.domain.local>” # CN=
emailAddress = “<support@domain.local>” # CN/emailAddress=

# req_extensions

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = <ServiceCenter.domain.local>
DNS.2 = <SP1.domain.local>
DNS.3 = <SP2.domain.local>

Note: In the subjectAltName field, specify at least one DNS with the same name as the commonName. This can also be a wildcard, for example, *.domain.local. You can also include multiple DNS names and create a SAN certificate, as I have used in my example.

Use the following command-line to create the request:

openssl req -new -newkey rsa:2048 -nodes -keyout c:\temp\daas\daas2.key -out c:\temp\daas\daas2.csr -config c:\temp\daas\openssl.conf

Installing the certificate

You can safely follow the instructions VMware provided in the documentation:

  • For Service Center, instructions can be found here
  • Applying the Tenant certificates can be found here